US11361080B2ActiveUtilityA1

Reducing the secure boot time of full network operating system images using a combination of partitioning, staging and amortized verification techniques

42
Assignee: CISCO TECH INCPriority: Apr 13, 2020Filed: Apr 13, 2020Granted: Jun 14, 2022
Est. expiryApr 13, 2040(~13.8 yrs left)· nominal 20-yr term from priority
G06F 21/64G06F 21/602G06F 21/575H04L 9/3247G06F 9/4401G06F 21/78G06F 21/577G06F 21/57G06F 8/63
42
PatentIndex Score
0
Cited by
15
References
14
Claims

Abstract

The present disclosure is directed to reducing the secure boot time of software images and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including identifying a software image for a first secure boot, the software image stored in a persistent storage and comprising a kickstart software package and a system software package, fetching the software image, including the kickstart software package and the system software package, from the persistent storage to a memory, verifying one or more digital signatures associated with the software image, booting the kickstart software package of the software image from the memory, and staging the system software package in the persistent storage.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system, comprising:
 one or more processors; and 
 one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising:
 identifying a software image for a first secure boot, the software image stored in a persistent storage and comprising a kickstart software package and a system software package; 
 fetching the software image, including the kickstart software package and the system software package, from the persistent storage to a memory; 
 verifying one or more digital signatures associated with the software image; 
 booting the kickstart software package of the software image from the memory; 
 staging the system software package in the persistent storage; 
 identifying the software image for a subsequent secure boot; 
 determining, based on a look-up of a filename associated with the software image, that the system software package of the software image is staged in the persistent storage; 
 fetching the kickstart software package from the persistent storage; 
 verifying a digital signature of the kickstart software package; 
 
 booting the kickstart software package; 
 verifying hash information associated with the system software package; and
 booting the system software package from the persistent storage. 
 
 
     
     
       2. The system of  claim 1 , wherein the operation of staging comprises:
 transferring the system software package from the memory to a partition in the persistent storage; and 
 writing the filename associated with the software image in a non-volatile memory. 
 
     
     
       3. The system of  claim 2 , the operations further comprising:
 storing the hash information associated with the system software package in the partition of the persistent storage. 
 
     
     
       4. The system of  claim 1 , wherein the hash information is verified using asymmetric cryptography. 
     
     
       5. The system of  claim 1 , the operations further comprising:
 creating a device mapper to establish a running context using the verified hash information associated with the system software package. 
 
     
     
       6. A method, comprising:
 identifying a software image for a first secure boot, the software image stored in a persistent storage and comprising a kickstart software package and a system software package; 
 fetching the software image, including the kickstart software package and the system software package, from the persistent storage to a memory; 
 verifying one or more digital signatures associated with the software image; 
 booting the kickstart software package of the software image from the memory; 
 staging the system software package in the persistent storage; 
 identifying the software image for a subsequent secure boot; 
 determining, based on a look-up of a filename associated with the software image, that the system software package of the software image is staged in the persistent storage; 
 fetching the kickstart software package from the persistent storage; 
 verifying a digital signature of the kickstart software package; 
 booting the kickstart software package; 
 verifying hash information associated with the system software package; and 
 booting the system software package from the persistent storage. 
 
     
     
       7. The method of  claim 6 , the step of staging comprising:
 transferring the system software package from the memory to a partition in the persistent storage; and 
 writing the filename associated with the software image in a non-volatile memory. 
 
     
     
       8. The method of  claim 7 , further comprising:
 storing the hash information associated with the system software package in the partition of the persistent storage. 
 
     
     
       9. The method of  claim 6 , wherein the hash information is verified using asymmetric cryptography. 
     
     
       10. The method of  claim 6 , further comprising:
 creating a device mapper to establish a running context using the verified hash information associated with the system software package. 
 
     
     
       11. One or more computer-readable non-transitory storage media embodying instructions that, when executed by a processor, cause performance of operations comprising:
 identifying a software image for a first secure boot, the software image stored in a persistent storage and comprising a kickstart software package and a system software package; 
 fetching the software image, including the kickstart software package and the system software package, from the persistent storage to a memory; 
 verifying one or more digital signatures associated with the software image; 
 booting the kickstart software package of the software image from the memory; 
 staging the system software package in the persistent storage; 
 identifying the software image for a subsequent secure boot; 
 determining, based on a look-up of a filename associated with the software image, that the system software package of the software image is staged in the persistent storage; 
 fetching the kickstart software package from the persistent storage; 
 verifying a digital signature of the kickstart software package; 
 booting the kickstart software package; 
 verifying hash information associated with the system software package; and 
 booting the system software package from the persistent storage. 
 
     
     
       12. The one or more computer-readable non-transitory storage media of  claim 11 , wherein the operation of staging comprises:
 transferring the system software package from the memory to a partition in the persistent storage; and 
 writing the filename associated with the software image in a non-volatile memory. 
 
     
     
       13. The one or more computer-readable non-transitory storage media of  claim 12 , the operations further comprising:
 storing the hash information associated with the system software package in the partition of the persistent storage. 
 
     
     
       14. The one or more computer-readable non-transitory storage media of  claim 11 , wherein the hash information is verified using asymmetric cryptography.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.